
Sunday, 31 January 2010

Security in the Sky with Diamonds

A new colleague asked me recently how I felt about “all the security issues in the sky”. At first, I wondered if I had missed a news story about break-ins at Rupert Murdoch’s satellite TV network. After a little probing it transpired that when she talked of “sky computing” she meant “cloud computing”. Ah, at last we were finally on the “same page”.

It is hard enough explaining what “cloud computing” is to someone not in IT. It is even more challenging to teach them about the underlying security issues. There is a range of cloud models, from remote hosting to SaaS, but for me, I like the definition of cloud computing that I learned from William Fellows of The 451 Group:
“A cloud is formed upon automatically managed, flexible shared infrastructure, where users help themselves to services via an access API with a per-use pricing model.”
I like to call this the “Pay-per-drink” model of cloud computing. Examples of current cloud computing providers include GoogleApps and Amazon Web Services. Many applications already exist running in the cloud and vary from personal finance management services/sites to security log analysis services. William Fellows also highlights the many barriers to adoption for cloud computing – the key issues are Security, Regulatory Compliance, and Retail Payment methods.

As with all IT systems, there are challenges in providing the usual C-I-A thinking of security (Confidentiality - Integrity - Availability) to systems deployed using the cloud computing model. For me, security is about ensuring that systems can only do what you want them to do – and enforcing that they can do no more. Attacks are typically users doing things in the systems that you don’t want – either because access controls are weak or inappropriate, or due to appalling application development whereby the functionality of the deployed system goes beyond what was expected.

Back to sky computing – I am not sure whether the sky is falling or the clouds are lifting (apologies for the appalling puns) maybe as 2010 unfolds it will all become clear.

Wednesday, 30 September 2009

Are Clouds Compliant?

Today I was part of a panel where we debated whether Clouds are compliant. The session was part of the BrightTalk online Cloud Computing Summit and was hosted by Peter Judge, UK Editor, eWeek Europe. I was joined by IBM's James Rendall, and Paul Roberts of The 451 Group and we participated in a lively session.

The questions we worked through were:
Q1. Do you trust the cloud?
Q2. Are clouds compliant?
Q3. Is compliance a barrier to adoption?
Q4. How should we make clouds compliant?

There was online polling of the audience, with clear majority responses being as follows: Q1 – No; Q2 – No; and Q3 – Yes.

Question 4 was the most interesting for me. We actually debated two courses of action. First, "Change clouds to accommodate regulation". Alternatively, "Change regulations to accommodate clouds". A cheeky 25% of the audience voted for the latter! This is like raising the speed limit on the roads because it is impossible to stop motorists from speeding. Is this a good idea?

I cynically pointed out that the underlying context is not peculiar to cloud -- and is commonly observed in other computing architectures. IT is a business enabler – and businesses want to make profits. Once a profit making system is in place, it is only then that organizations get concerned about compliance and security issues. Alas, the elasticity and remote nature of cloud infrastructures make retro-fitting security devices (e.g. firewalls) nearly impossible. The only way to achieve the retrofitting of security into the cloud is if you can make the security technology ‘cloud hostable’ and have it inserted seamlessly into the underlying fabric. Perhaps a DataWall for the cloud – watch this space.

Thursday, 16 July 2009

Why, even after Twitter, the Cloud is safe. Secerno weighs in

This week, the after-effects of Twitter’s May breach became known, with confidential employee and company information being acquired and sent to TechCrunch. At a macro level, the information shows the potentially embarrassing data that exists in every company and that no executive, shareholder, customer, employee or partner would want to see revealed.

For Twitter these include names of senior executives who interviewed for positions at the company and are currently employed elsewhere, earnings projections, new product information, and floor plans.

What is interesting to those of us in the security industry is what the breach initially appears to be – a security failure in the Cloud, and what it really is – an exploit of the password recovery system and other features of Google Apps.

Cloud is no more secure or less secure than any other environment, and what happened at Twitter could have easily occurred in a traditional implementation. This breach indicates, at the very least, that traditional password protection practices were not being followed. This is not surprising considering the stress placed on current IT budgets, which results in security updates and practices being delayed. For every organization that holds information that could be deemed embarrassing if made public (so, everyone), Twitter serves as a reminder that open does not mean secure, and that the protection needs to come from providing the appropriate care at the level of the data itself.

Friday, 22 May 2009

Cloud Computing Expo

Yesterday I was an invited speaker at the Cloud Expo Europe 2009. I spoke about “Securing Virtualized Database Assets” highlighting many items covered in an earlier post. It was interesting to be part of a forum that is substantially different from the Information Security forum – no big vendors like McAfee or Symantec. IBM were at the Cloud Expo and Bob Sutor gave a strong keynote. A few of the exhibitors were organizations providing hosting, whilst others were Linux distribution companies (e.g. RedHat and Ubuntu).

The security of a cloud computing environment requires the same care and attention as other platforms. As BT's Bruce Schneier says, cloud computing is like existing outsourcing arrangements, which require an element of "trust". Cloud computing also provides opportunities for security vendors. It allows them to make use of utility computing plus shared intelligence to provide higher quality protection in a shorter time window. This approach of putting security in the cloud is what Trend Micro CEO Eva Chen spoke about on our panel session at RSA last month. The collective intelligence plus the accessible compute power provided in a cloud environment can be deployed for non-realtime security functions like email scanning.

There is still much to be sorted out for how data access in the cloud can be performed in a uniform and secure manner. Those organizations that are hosting virtualized databases in the cloud must ensure they are adequately protected.